EU supreme court rules data shar­ing pact with US in­valid

The Euro­pean Union’s high­est court ruled Tues­day that an agree­ment that al­lows com­pa­nies to freely trans­fer data to the U.S. is in­valid as it does not ad­e­quately pro­tect con­sumers.

The ver­dict could have far­reach­ing im­pli­ca­tions for com­pa­nies op­er­at­ing in Europe. It does not ban the trans­fer of data but will al­low na­tional author­i­ties to re­view what kinds of in­for­ma­tion com­pa­nies want to send to the U.S., pos­si­bly com­pli­cat­ing busi­ness.

The rul­ing comes from a case that Aus­trian law stu­dent Max Schrems brought fol­low­ing rev­e­la­tions two years ago by for­mer U.S. Na­tional Se­cu­rity Agency con­trac­tor Ed­ward Snow­den about the NSA’s sur­veil­lance pro­grams.

Schrems com­plained to the data pro­tec­tion com­mis­sioner in Ire­land, where Face­book has its Euro­pean head­quar­ters, that U.S. law doesn’t of­fer suf­fi­cient pro­tec­tion against sur­veil­lance of data trans­ferred by the so­cial media com­pany to servers in the United States.

The agree­ment has al­lowed for the free trans­fer of in­for­ma­tion by com­pa­nies from the EU to U.S. It has been seen as a boost to trade since, ab­sent such a deal, swift and smooth data ex­change over the In­ter­net would be much more dif­fi­cult.

On Tues­day, the Euro­pean Court of Jus­tice ruled that the data shar­ing pact is in­valid. It said that the “safe har­bor” deal en­ables in­ter­fer­ence by U.S. author­i­ties with fun­da­men­tal rights and con­tains no ref­er­ence ei­ther to U.S. rules to limit any such in­ter­fer­ence or to ef­fec­tive le­gal pro­tec­tion against it.

The court said the ef­fect of the rul­ing is that the Ir­ish data com­mis­sioner will now be re­quired to ex­am­ine Schrems’ com­plaint “with all due dili­gence.”

Once it has con­cluded its in­ves­ti­ga­tion, the au­thor­ity must “de­cide whether ... trans­fer of the data of Face­book’s Euro­pean sub­scribers to the United States should be sus­pended on the ground that that coun­try does not af­ford an ad­e­quate level of pro­tec­tion of per­sonal data,” the court said in a sum­mary of its rul­ing.

Face­book said it couldn’t im­me­di­ately com­ment.

Schrems said he hoped the rul­ing will be a mile­stone for online pri­vacy.

“This de­ci­sion is a ma­jor blow for U.S. global sur­veil­lance that heav­ily re­lies on pri­vate part­ners,” Schrems said in a state­ment. “The judg­ment makes it clear that U.S. busi­nesses can­not sim­ply aid U.S. es­pi­onage ef­forts in vi­o­la­tion of Euro­pean fun­da­men­tal rights.”